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ABSTRACT 


The certification process can be defined as a comprehensive evaluation of all 
security features, both technical and normtechnical, of an information system. This 
process ensures that the system design and implementation meets a distinct set of 
prescribed security requirements. The accreditation of a system ensures that networks, 
applications, and operating systems that make up the system are running at an acceptable 
level of risk. The Designated Approving Authority (DAA) is responsible for deciding 
what systems to approve for accreditation, and assumes the responsibility for running the 
accredited system at an accepted level of risk. This analysis of the certification and 
accreditation process stresses the vital aspects of the process that are of special concern to 
the DAA. The mission drives the process, and influences the ultimate accreditation 
decision. The DAA must understand the fundamental aspects of the certification effort, 
and be able to weigh factors such as the funding, time, and other resources available for 
the effort, as well as understand the scope of the system as a whole. This thesis covers the 
vital aspects of certification and accreditation, and provides the new DAA with a guide to 


the process. 
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I. INTRODUCTION 


The certification process can be defined as a comprehensive evaluation of all 
security features, both technical and normtechnical, of an information system. This 
process ensures that the system design and implementation meets a distinct set of 
prescribed security requirements. The accreditation of a system ensures that networks, 
applications, and operating systems that make up the system are running at an acceptable 
level of risk based on the results of the certification process. The Designated Approval 
Authority (DAA) is the executive with the formal responsibility of authorizing the 
operation of a system. The DAA is responsible for deciding what systems to approve for 
accreditation, and assumes the responsibility for running the accredited system or 


network at an accepted level of risk. 


Although the DAA is an executive with the authority to evaluate the system and 
approve it for accreditation, he or she usually has little knowledge of computer security 
functions. Ensuring that all facets of the certification process have been explored, and 
that the access, integrity, availability, functionality, and performance of the system are 


acceptable, is a difficult task. 


The background of the DAA is usually that of upper management. Thus, the 
DAA relies on others for technical advice as it pertains to the computers and systems for 
which they are responsible. Relying on technical advisors and the people whom the 
DAA hires to consult on various system design principles and procedures can lead to 
communication problems and misunderstandings. For example, if the technical advisor 
to the DAA cannot communicate the concepts entailed in the certification process or 
relate the notion of residual risk to the DAA in a clear and concise nomtechnical manner, 
the DAA will not be adequately informed or prepared to make the appropriate 


accreditation decision. 


For reasons such as this it is important to educate the DAA on how to understand 
the evaluation of a particular certification and accreditation process to ensure it meets all 
prescribed requirements. This can be accomplished by providing proper guidance and 


education to the DAA, as well as by facilitating communication between the DAA and 
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the technical staff. Because each certification and accreditation process has unique 
characteristics, this thesis should in no way be considered a checklist or alternative to the 
rigorous certification and accreditation process already in use. Instead, it will solidify 
and document the key concepts of the certification and accreditation process to clarify the 


key factors and aid the DAA in making an informed decision. 


A. RESEARCH QUESTIONS 
The following questions were used to guide the research and development of this thesis: 


1. How does one decide which factors of the certification and accreditation 


process are key and which are secondary? 
2. What is the justification for labeling those pieces left out of as not vital? 


3. What are the main roles of the DAA in the certification and accreditation 


process? 


B. SCOPE OF RESEARCH 


This thesis will cover the vital aspects of the certification and accreditation 
process and will provide the new DAA with a tool with which to facilitate the decision 
about a particular certification. Because the DAA has the formal responsibility of 
authorizing the operation of a system, this information will ensure that the DAA is fully 
abreast of all components of the certification and accreditation process before the 
decision to acredit the system is made. The main goal of this thesis is to provide 
guidance, to the potential DAA, to foster a better understanding of the process of 


evaluating a particular system for accreditation. 


C. METHODOLOGY 


The information that was collected for this thesis was obtained using the following 


methods: 


e Government Documents: 


O 


O 


DoD 5200.40 — DoD Information Technology Security Certification and 
Accreditation Process (DITSCAP) 


DoD 8510.1-M — DoD Information Technology Security Certification and 
Accreditation Process (DITSCAP) Manual 


DoD Directive 8500.1 — Information Assurance (IA) 
DoD Directive 8500.2 — Information Assurance (IA) Implementation 


NSTISSI No. 1000 — National Information Assurance Certification and 
Accreditation Process (NIACAP) 


OMB Circular A-130, Appendix III 


NIST Special Pub 800-37 — Guidelines for the Security Certification and 


Accreditation of Federal Information Technology System 


NCSC-TG-031 - Certification and Accreditation Process Handbook for 


Certifiers 


NCSC-TG-029 v1 - Introduction to Certification and Accreditation 


e Articles, White Papers and Technical Reports 


e Interviews with individuals who have participated regularly in the C & A process 


This research was complemented with input from many other sources to help 


describe the process. The analysis of documents such as the System Security 


Authorization Agreement (SSAA), which are key in the certification and accreditation 


process, was used as a tool with which to comprehend the process on a higher level. 


This, coupled with the interviews and the literature, aimed to describe the main role and 


knowledge base of the DAA. 


Many papers, articles and documents were reviewed to understand the process in 
detail. The DITSCAP Manual, 8510.1-M [1], describes the Department of Defense 
certification and accreditation process. This Manual develops a standard certification and 
accreditation process for the DoD and supports the DITSCAP 5200.40 document by 
providing a detailed approach to the activities surrounding the C&A process. The 


DITSCAP Manual is described in detail in later chapters. 


Department of Defense Directive 8500.1 establishes policy and assigns 
responsibilities to DoD information assurance (IA) through a defense-in-depth approach 
that integrates the capabilities of personnel, operations, and technology, and supports the 
evolution to network centric warfare [2]. This directive applies to all DoD systems and 
establishes policy to ensure that the systems maintain an appropriate level of 
confidentiality, integrity, and availability. Department of Defense Instruction 8500.2 
describes in detail the implementation procedures necessary to achieve the procedures 
directed in 8500.1. A detailed description of 8500.2 is provided in subsequent chapters 
Ib 


The Office of Management and Budget (OMB) Circular A-130 [4], entitled 
"Management of Federal Information Resources," establishes policy that Federal 
agencies must follow when acquiring, using, and distributing government information. 
This Circular establishes policy for the management of Federal information resources. 
The appendices contain procedural and analytic guidelines for implementing specific 
aspects of these policies. Appendix III of OMB A130 establishes a minimum set of 
controls to be included in Federal automated information security programs, and assigns 


Federal agency responsibilities for the security of automated information. 


The National Information Assurance Certification and Accreditation Process 
(NIACAP) is defined by the National Security Telecommunications and Information 
System Security Instruction (NSTISSI) No. 1000 [5], to establish a standard national 
process, activities, tasks and management structure to certify and accredit systems that 
will maintain the information assurance and security posture of a system or site. The 
NIACAP is used when accrediting non DoD federal government systems, and is very 


closely related to the DITSCAP. 


The goal of this research was to understand exactly what the DAA should know 
and understand about the certification and accreditation process in order to adequately 
approve a system for accreditation. Not only do the technical aspects of a system play a 
large part in the decision to accredit, but also other things, such as mission, physical 
security, system boundaries, and the user’s level of experience and/or clearances, are all 
facets of the larger picture that must be understood. The DAA must understand the 
fundamental aspects of the certification effort, and be able to weigh factors such as the 
money, time, and resources available for the effort, as well as understand the scope of the 
system as a whole. The DAA should understand at a high level the requirements of the 
system, and how these requirements are traced into the system to show compliance. The 
DAA must be able to trust the Certifier to make sound technical decisions as they relate 
to the system to be accredited. This trust relationship is a very important factor in the 
process, because the DAA will be relying upon the Certifier to understand the 
requirements, perform the tests and evaluations, and report the finding, as well as prepare 


the accreditation recommendation. 


Particular attention was given to the element of subjectivity in the accreditation 
process. Understanding the subjective aspects of the process is a necessary step in 
ensuring that the ultimate accreditation decision is the right one. To accomplish this, 
interviews and meetings with a variety of specialists in the field were performed to 
further determine specifically which parts of the process may or may not be seen as 
subjective. This is one reason why the DAA must trust the Certifier to make good 
decisions. Perhaps a system is compliant with all stated requirements, implements all 
security policies, but lacks sufficient documentation. It is the responsibility of the 
Certifier and DAA to decide if this system can be accredited. One Certifier interviewed 
stated that he would not accredit a system with poor documentation, while another person 
stated that he had accredited a system with poor documentation with the understanding 
that the documentation would be updated satisfactorily within a certain time limit. This 
illustrates the diversity of opinion of the Certifier and DAAs within the accreditation 
process. The interviews with specialists in the field were further used to analyze how the 


process is conducted in the “real world”. These views will be studied and compared to 


understand how much the DAA knows of the subject, and what parts should be explained 


in more detail. 


Further analysis of the certification and accreditation literature, as well as the 
literature defining the duties and responsibilities of the DAA, will aid in the decision as to 


which vital pieces of the process should be looked at more closely. 


Il. BACKGROUND 


A. THE CERTIFICATION AND ACCREDITATION PROCESS 


The DITSCAP establishes a standardized approach to the certification and 
accreditation process for the Department of Defense. This document specifies tasks and 


activities to be performed when evaluating a system for accreditation. 


The certification and accreditation process is broken up into four phases, as 
defined by the DITSCAP. These phases consist of Definition, Verification, Validation, 
and Post Accreditation. Phase one of the process is Definition. During this phase the 
system mission is defined, the system boundary, resources, and requirements are 
determined, and the level of certification is negotiated. The initial draft SSAA is 


developed, agreed upon, and signed. 


This phase contains three key activities: preparation, registration, and negotiation. 
The preparation activity involves collecting all documents and information pertaining to 
the system to be accredited. The registration activity begins the risk- management process 
by identifying the security requirements, system boundary, and level of effort required to 
complete the certification and accreditation process. The negotiation activity ensures that 
the SSAA correctly defines the level of effort for the system, as well as that all people 
involved in the process are familiar with their roles and responsibilities. The SSAA 
documents the mission and system information, operational and security functionality, 
operational environment, security policies, system security requirements, known security 


problems or deficiencies, and other security-relevant information. 


The certification level is determined by analyzing the system mission, functions, 
security requirements, infrastructure, and users. This information will aid in the 
determination of the degree of confidentiality, integrity, availability and accountability 
required for the system. The certification Level is determined by the level of 
confidentiality, integrity, and availability needed in the system. This determination 
provides the proper degree of assurance that the system will function as specified in the 
system and security requirements. The DAA should understand the degree of assurance 
necessary for the system as well as the necessary safeguards required to implement it. 

| 


For nor intelligence systems, confidentiality provides protection of information from 
unauthorized access. Examples of services that help to ensure confidentiality are access 
control, encryption, object reuse, physical security, TEMPEST techniques, and 
administrative procedures. These techniques help to prevent unauthorized user access, 
interception, and emissions. Integrity is preserved by preventing unauthorized users from 
modifying or deleting information. Access control, digital signatures, configuration 
control, and physical security are all mechanisms that provide integrity services. 
Availability is concerned with the system services being accessible and operational on 
demand by authorized users. The main concern with availability is avoiding denial of 
service attacks by unauthorized individuals. Access control, backups, modularity, 


operations security, and redundancy are all forms of protection against denial of service. 


The DITSCAP defines four levels of certification. Each level provides a 
successively rigorous amount of verification techniques to ensure the system behaves as 
is stated in the requirements definition. Level one requires the completion of the 
minimum security checklist, which is located in Appendix two of the DoD 8510.1-M. 
This checklist ensures that the architecture, design, network rules, integrity, life-cycle 
management, vulnerability assessments, system management, security test and 
evaluations, and penetration testing of the system have been fully analyzed and reviewed. 
Levels two, three and four require the completion of the minimal security checklist, as 
well as independent, in-depth or extensive analysis of the system. These certification 
levels are selected by analyzing certain characteristics of the system to be certified. 
These system characteristics are assigned weights that are totaled to give the appropriate 


certification level. 


During this phase of the process, the DAA should regularly review the system to 
ensure it conforms to the objectives stated in the SSAA. The DAA is also responsible for 
defining the accreditation requirements, obtaining a threat assessment for the system, 
assigning a Certifier to conduct the vulnerability and risk assessments, supporting the 
DITSCAP tailoring and level of effort determination, and approving the SSAA. The 
Certifier as well as the certification Team will support the DAA in any way they can with 


his/her responsibilities. 


Phase two of the process is Verification. This phase begins with refining or 
updating the SSAA to reflect any new changes in the system requirements. This phase 
includes the analysis of the system architecture, software design, network connection rule 
compliance, products to be integrated into the system, life-cycle management, security 


requirements validation procedures, and vulnerability assessments. 


This analysis of the certification process and security requirements is done to 
ensure that they are sufficient and correct, as well as to verify that they are relevant to the 
process and conform to those requirements specified in the SSAA. The certification 
analysis will also confirm that the system design is implementing the requirements as 
stated in the SSAA, as well as ensure that the security critical components of the system 
are working correcting. The last steps in this phase include the development of a Task 
Analysis Summary Report as well as the evaluation and determination of system 
certification readiness. The Task Analysis Summary Report summarizes the findings 
from each of the assessments done during the Certification Analysis and provides 


recommendations. 


During the Verification Phase, the DAA should regularly review the system to 
ensure it is in accordance with the SSAA. The DAA will also be responsible for 
overseeing the system evaluation as well as examining the SSAA to make sure that it 
correctly describes the system, threat, environment, security requirements, vulnerabilities 


to the system, and all other conditions in which the system will be operating. 


The third phase in the process is Validation This phase validates that the findings 
in the Definition and Verification phases have led to the creation of a system that 
performs as stated in the requirements definition, and functions within an acceptable level 
of residual risk. By this time, the system to be accredited has already been integrated, and 
is awaiting the official accreditation decision. Again, the SAA will be reviewed, the 
integrated system will be evaluated, and the final accreditation decision will be made. 
The System Test and Evaluation (ST&E) are performed during the evaluation to ensure 
that the security controls for the system are correctly implemented and working 
efficiently. Risk Assessment and Certification Evaluation Reports are developed and the 


certification statement is made. The certification statement is the report to the DAA on 
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the results of the certification testing. This report will include the recommendation to 


accredit the system or not, or to grant an interim approval to operate (IATO). 


The fourth and final phase in the process is the Post Accreditation Phase. At this 
point the system has already been accredited and must maintain the acceptable level of 
residual risk that was previously agreed upon. The system is monitored regularly to 
ensure that there are no significant changes to the configuration or environment that 
might affect the confidentiality, integrity or availability of the information it contains. 
This monitoring is performed throughout the lifecycle of the system. Review of any 
system changes §$ imperative to ensure that they do not affect the threat level of the 
system. Changes made must be controlled in such a way as to reflect the stated 
configuration management requirements. The accreditation of the system is tightly 
dependent upon the configuration of the system and the way in which it interacts with the 
hardware and software. Any changes made must be reviewed to ensure they do not 


invalidate the accreditation decision. 


iF Roles and Responsibilities 


The main roles in the certification and accreditation process are those of the DAA, 
Certifier, and user representative. Other roles can be added to support the overall 
decision process and mission, and are often necessary to ensure that the process is 
performed as expected, and that the system implements the stated requirements. Often 
the Program Manager and ISSO will be a part of the process. Each of these roles plays a 
major part in each phase of the process, and is responsible for determining the scope of 
the effort as it relates to the mission, resources, architecture and environment. They must 
all work together to ensure that the project stays on schedule, design meets 
implementation, and any threats to the system are adequately managed. During phase 
one of the process it is very important that all roles in the certification effort discuss the 
security requirements, scope, and level of effort. This discussion should lead to a final 


agreement by all parties involved. 


The DAA is the person with the authority to accredit the system. He or she is 


usually in upper management and is responsible for evaluating the mission and resources 
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for the system to be accredited. The DAA approves the system for operating at an 
acceptable level of residual risk. The amount of residual risk deemed acceptable is 
dependent upon many factors, most importantly the criticality of the mission. Depending 
upon mission importance, the residual risk accepted may be significant. It is important to 
understand that this decision is ultimately a management decision and involves many 


factors which the Certifier may or may not know of. 


The Certifier is responsible for providing the technical expertise of the 
certification process and explaining all necessary technical information to the DAA. The 
Certifier may work with a team to conduct the certification process, and must ensure that 
the security requirements are properly documented in the SSAA. The determination as to 
the adequate level of residual risk is made by the Certifier, as well as the recommendation 


as to whether or not the system should be accredited. 


The User Representative is concerned with the systems confidentiality, integrity, 
availability, access, and functionality as it relates to the ultimate mission of the system. 
The user representative represents the user community and assists in the certification and 
accreditation process by helping to define the system operations and functional 


requirements of the system. 


The Program Manager manages each aspect of the system from the original 
concept, to the development, implementation, and system maintenance. The program 
manager is responsible for the system throughout its entire lifecycle, and is responsible 


for ensuring the security requirements are implemented correctly. 


The Information System Security Officer (ISSO) is responsible for monitoring 
and maintaining the security of the system as defined by the SSAA, as well as ensuring 


that the system follows all security requirements as stated in the documentation. 


B. SECURITY CONTROLS AND REQUIREMENTS 


1. DoD Instruction 8500.2, Information Assurance (IA) 
Implementation 


The Department of Defense Instruction 8500.2 implements policy, assigns 


responsibilities, and prescribes procedures for applying integrated, layered protection of 
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the DoD information systems and networks as prescribed in the DoD Directive 8500.1. 


This directive establishes the following responsibilities for the DAAs [3]: 


e Ensure that IA is incorporated as an element of DoD information system 


lifecycle management processes. 


e For DoD information systems under his or her purview, ensure that all [A- 
related positions are assigned in writing, include a statement of IA 
responsibilities, and ensure that appointees to positions receive appropriate 


IA training. 


e Ensure that all IA Managers meet all access requirements and are U.S. 


citizens. 


e Ensure that [A-related events or configuration changes that might impact 


accreditation are reported to affected parties. 


The responsibilities above, as well as those of the IA Manager, IA Officer, and 
Authorized users are key aspects of the process and should be understood and followed 


by the DAA. 


This instruction implements an Information Assurance program designed to 
assess security needs and capabilities, develop security design and configuration that 
adheres to a common architecture, implement required controls or safeguards, perform 


system tests and verification, and ensure proper use of configuration management. 


Risk management is vital in balancing the importance of the information and 
supporting technology to DoD missions against the documented threats and 
vulnerabilities, the trustworthiness of users and interconnected systems, and the 
effectiveness of IA solutions [3]. This directive explains the many different facets of 
DoD IA controls and components, such as audit, access control, and configuration 


management. 


Information assurance levels for DoD information systems are assigned explicit 
IA controls for each system. These levels are defined according to mission assurance 
category (MAC) and confidentiality level. MACs aim to quantify the IA services of 


integrity and availability, and scale them according to mission need, with an emphasis on 
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the “warfighter” needs [3]. MAC I systems require high integrity and high availability, 
MAC II systems require hgh integrity and medium availability, and MAC III systems 
require basic integrity and availability. The confidentiality levels are determined by the 
classification level of the system (classified, sensitive, public). The mission assurance 
categories and confidentiality levels are independent of one another; for example, a MAC 
II system may process classified information while a MAC III system may process public 
information. There are nine different combinations of mission assurance categories and 
confidentiality levels. These define nine baseline IA levels. The set of IA Controls 
applicable to any given DoD information system is a combination of the IA Controls for 
its mission assurance category and the IA Controls for its confidentiality level. All IA 
controls for the nine baseline MAC and Confidentiality levels are described in detail in 
attachments Al through A6 of the 8500.2 Directive. The following table describes the 


set of applicable IA Controls for the nine baseline levels. 


Mission Assurance Category and Confidentiality Level Applicable IA Controls 


MAC I, Classified Attachments Al and A4 


MAC I, Sensitive Attachments Al and A5 


MAC I, Public Attachments Al and A5 


MAC II, Classified Attachments A2 and A4 


MAC II, Sensitive Attachments A2 and A5 
MAC II, Public Attachments A2 and A6 
MAC III, Classified Attachments A3 and A4 


MAC III, Sensitive Attachments A3 and A5 





MAC III, Public Attachments A3 and A6 





Table 1. Table 1. Applicable IA Controls by Mission Assurance Category and 
Confidentiality Level [From 3]. 


This instruction mandates that each DoD information system be reviewed against 
the stated mission assurance category definitions to determine the appropriate MAC 


level. The confidentiality level will be assigned based on the classification or sensitivity 
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of the information processed. These categories and levels determine the appropriate IA 
controls, and constitute the baseline requirements for IA certification and accreditation or 


reaccreditation. 


The following controls are vital in the operation of any system and are 
recommended to increase the security and proper functionality of DoD information 
systems. Depending upon the mission assurance category and confidentiality level 
assigned to the system, these controls may be supplemented with other controls and 


components. Higher levels will require more stringent application of controls. 


a. Auditing 


The auditing of a system is the process of recording, examining, and 
reviewing any or all security relevant activities on the system. The information obtained 


from performing audits is used to detect and deter the misuse of a computer system. 


The auditing of the system should include enough information to 
determine who did what action, the date and time of the action, system location, 
resources involved, and actions involved. The audit contents should be protected against 
unauthorized access, deletion, or modification, and should be reviewed at least weekly 
and kept in backup for any necessary future review. The system should audit successful 
and unsuccessful logons and logoffs, access to security-relevant objects and directories, 
such as opens, closes, modifications and deletions, and any other event that might 
indicate an attempt to violate the security policy of the system [6]. The system should 
have an appropriate Identification and Authentication ([&A) process to authenticate the 
user to the system. This will ensure that each user can be associated with an auditable 


action. I&A will also that ensure only privileged users have access to the system. 


Regular review and testing of the audit procedures and policies by the 
ISSO should be done to ensure that the system is performing as expected. The ISSO can 
use automated tools to validate that users passwords are sufficient and in compliance with 
the documented policies, and use intrusion detection devices and other monitoring tools 


to detect any attacks to the system. 
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Audit requirements will vary depending upon the classification and 
certification level of the system. A higher level will require more stringent auditing 
requirements, testing and documentation. The implementation of the audit requirements 
will vary depending upon the system in question, as well as the characteristics of the 


hardware, software, and firmware involved. 


b. Access Control 


The use of access control policies will determine who is authorized to 
access what resources and how. This policy also states who is not authorized to access 
certain resources. Access control uses password and encryption techniques to ensure that 
only authorized users have access to the data and programs on the machine. Access 
control can also segregate programs and data so that the user in question only sees those 


programs and data that she or he has access to. 


c. End User Training 


The end users of the system should be trained well so that they understand 
the system in question. It is important to provide regular training to all users of the 
system. This training should be complemented with manuals and other documentation 
that can be used if they have any future problems or questions. It is also important to 
educate and train users on security awareness. Employees who are trained and informed 
of proper security practices and procedures will be better equipped and therefore more 
trusted to act in such a way as to ensure a more secure environment for the organization. 
They should understand the importance and details of password creation, security policies 


and procedures and their individual responsibilities. 


DoD Directive 8500.2 states that all DoD employees and IT users shall 
maintain a degree of understanding of IA policies and doctrine commensurate with their 
responsibilities [3]. They should be capable of appropriately responding to and reporting 
suspicious activities and conditions, and they should know how to protect the information 


and IT they access. To achieve this understanding, all DoD employees and IT users 
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should receive both initial and periodic refresher IA training. Required versus actual IA 


awareness training shall be a management review item. 


d. Configuration Management 


Configuration management is a vital aspect in the certification and 
accreditation process. A good team of employees that work together using proper 
configuration controls will produce a product and/or system that will be more reliable, 
and thus more secure than the team that does not use configuration management. This 
will help to ensure that the system does not change throughout the lifecycle. The DAA 


should appreciate the value and stability that this adds to the life of system. 


Configuration management establishes and maintains the integrity of a 
system throughout its lifecycle. The system requirements are documented, as well as the 
standards, practices and procedures for the intended configuration management. Version 
control, revision management, and change process maximize efficiency, and enhance 
productivity. | Configuration management consists of the following four tasks: 
identification, control, status accounting, and auditing [7]. For every change that is made 
to an system, the design and requirements of the changed version of the system should be 
updated and identified. The control task of configuration management is done to ensure 
that every change made to the documentation, hardware, software of firmware of the 
system is reviewed and approved by an authorized authority. Status accounting ensures 
that the configuration of the system or product is evaluated and recorded throughout the 
life of the system. The configuration audit verifies that the changes made to they system 


are functionally correct and consistent with the security policy. 


pe DCID 6/3 


The DoD intelligence community follows the guidelines set forth in the 
DITSCAP, and provides additional requirements to complement it. These additional 
requirements are defined in the Director of Central Intelligence Directive 6/3 (DCID 6/3), 
which explains how to protect sensitive compartmented information within information 


systems [8]. 
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The DCID 6/3 explains the concepts of Level of Concern and Protection Level, 
and describes their appropriate use as it pertains to the technical security requirements for 
confidentiality, integrity and availability in intelligence systems. The Level of Concern 
ratings are specific for confidentiality, integrity and availability; each is rated at levels 


Basic, Medium, or High. These Level of Concern ratings are independent of one another. 


The DCID 6/3 manual defines the confidentiality of a system and rates the Level 
Of Concern based on the sensitivity of the information that the Information System 
stores, maintains, transmits, and processes. The confidentiality level is always rated High 


in intelligence systems, since all information processed is intelligence information. 


The Integrity rating, as defined in the DCID 6/3 [8], is based on the degree of 
resistance to unauthorized modification of the information maintained, processed, and 
transmitted by the Information System that is necessary for accomplishing the mission of 
its users. This rating is highest when a system has the greatest need of resistance from 


unauthorized modification. 


Similarly, the Availability rating is based on the degree of ready availability 
required of the information maintained, processed and transmitted by the Information 
System in order to accomplish the mission of its users. This area is rated high when there 


is a great need for information availability. 


Protection Levels in intelligence systems are mainly concerned with the 
confidentiality of a system. Since the level of concern of any intelligence system must 
have a high confidentiality rating, the DAA must ascertain the Protection Levels for a 
system based on the required clearances, formal access approvals and the need-to-know 
of all users who receive information from the IS without manual intervention and reliable 


human review [8]. 


There are five Protection Levels to be considered when accrediting a system. The 


DCID 6/3 defines the five levels as follows: 


e Level 1: All users have the required clearances, formal access approvals, and 


the need-to-know for all information on the system. 
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e Level 2: All users have all required clearances and all required formal access 
approvals, but at least one user lacks the need-to-know for some of the 


information on the system. 


e Level 3: All users have all required clearances, but at least one user lacks 


formal access approval for some of the information on the system. 


e Level 4: At least one user lacks sufficient clearance for access to some of the 


information on the IS, but all users have at least a Secret clearance. 


e Level 5: At least one user lacks any clearance for access to some of the 


information on the system. 


Each progressively higher level increases the risk of loss of classified information, so 
it is important for the DAA to understand the Protection Levels and their inherent 


meaning when deciding whether to accredit a system. 


In the intelligence community, the DAA often delegates his or her authority to 
the DAA Representative. The DAA Representative is a technical expert who must 
ensure the correct operations of system functions and security safeguards, as well as 
the implementation of the security policy, throughout the lifecycle of the system. The 
DAA Representative is also responsible for ensuring that all security tests and 
evaluations are performed, evaluating the perceived threats and vulnerabilities of a 
system, and maintaining the certification and accreditation documentation, as well as 
assessing any changes in the system. The DAA Representative is the principal 
advisor to the DAA, and assumes the responsibility of advising the DAA on all 


technical information regarding the certification and accreditation process. 


18 


Il. DETAILED ANALYSIS OF CERTIFICATION AND 
ACCREDITATION ACTIVITIES 


One key goal of this research is to describe exactly what pieces of the process the 
DAA needs to know to make an informed accreditation decision. This understanding, 
coupled with that of the DAA’s existing knowledge base, will help to further expand the 
preparedness of the DAA. The DAA should understand the basic concepts of the C&A 
process, as well as the definition of the minimum requirements that must be met at each 


certification level. 


The mission is key in all certification and accreditation events. Without mission 
need, there would be no system to accredit. The mission can affect the accreditation 
decision greatly, so it must be understood that the final choice to accredit the system is a 
management decision. The C&A process will drive the requirements definition, risk 
assessment and system evaluation, while the mission will be weighed against residual 


risk in making the final decision. 


The planning and budgeting for certification of a system plays a large role in the 
process. It is important for the DAA to weigh factors such as cost, time, and resources in 
order to understand the scope of the problem. Working within budget limitations and 
determining the appropriate amount of security needed for a system are both vital aspects 
of the process. The boundaries of the system to be certified, as well as any other external 
interfaces that may be related to the system but are not within the certification effort, 


must be fully analyzed. 


Each phase of the certification and accreditation process collects vital information 
that will ultimately lead to the determination of the accreditation decision. Each step in 
the process is performed to make certain that the requirements match the implementation 


and that the SSAA correctly reflects the system. 


The importance of a tightly coupled relationship between the DAA and the 
Certifier during the first three phases of the process cannot be understated. The DAA 
will be relying upon the Certifier for all technical related information of the system, 


which means that both parties will have a close working relationship. The following 
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detailed analysis of the tasks associated with the DAA and Certifier shows how closely 
related their responsibilities are during the certification and accreditation process. 
Because the Certifier tasks are performed in support of the DAA, the Certifier tasks are 
listed first in the following discussion of the process. This will succinctly describe the 
close connection of responsibilities between the Certifier and the DAA, as well as note 


the close relation of tasks. 


1. Definition: Phase 1 Tasks 


Certifier tasks done in support of the DAA: 
e Support the DAA as technical expert in the certification process. 
e Begin vulnerability and risk assessment. 


e Tailor the DITSCAP, determine the appropriate level of effort, and 
prepare the DITSCAP plan. 


e Provide level of effort and resource requirements. 


DAA Responsibilities: 
e Define accreditation requirements. 
e Obtain a threat assessment for the system. 
e Assign a Certifier to conduct vulnerability and risk assessments. 
e Support the DITSCAP tailoring and level of effort determination. 
e Approve the SSAA. 


Because the Certifier advises the DAA on all technical aspects of the system, it is 
important that there be a high level of trust between the DAA and the Certifier. The 
DAA should ensure that the Certifier is experienced with the certification and 


accreditation process, and has a good background in information assurance. 


The negotiation activity is performed during phase one of the certification and 
accreditation process, and is very important because this is when the scope and level of 
effort are determined. All people involved in the system development, acquisition, and 
operation must reach an agreement on the system implementation and how this will be 


reflected in the system security requirements. There are three tasks to be performed 
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during the Negotiation activity, as defined in the DITSCAP: conduct the Certification 
Requirements Review (CRR), agree on the security requirements, level of effort, and 


schedule, and approve the final phase one SSAA [1]. 


The DAA should first review the draft SSAA to ensure that all information 
assurance and security requirements are identified and included. The Certifier, based on 
the decided level of effort, will conduct an assessment of all technical and nomtechnical 
aspects of the system. It will be the Certifier’s responsibility to determine and document 
the tradeoffs between balancing the security risks with the security requirements, 
resources, and schedule. The CRR is a meeting in which all parties involved in the 
process decide and agree upon the schedule, cost, level of effort and approach that will be 
taken during the certification and accreditation process to ensure that all security 
requirements are met. The SSAA will be reviewed completely to make certain that all 


necessary and appropriate information is identified. 


It cannot be stressed enough how important it is to perform a valid and 
comprehensive requirements definition during phase one. Everything done during this 
phase will be used to shape the outcomes for all successive phases. The security 


requirements should be defined concisely, and should include a security policy. 


A Security Requirements Traceability Matrix (SRTM) is used as a tool to refine 
the understanding of the requirements throughout the entire lifecycle of the system. This 
tool is used as a repository to which the developers elaborate on the implementation and 
testing of the requirements. The SRTM will verify that all stated requirements are 
implemented in the system, and will help to find any problems that may arise from poor 
requirements definition. Traceability will ensure that the system is complete, as well as 
provide the basis for future test planning. After the tracing of requirements is finished it 
is important to do additional testing to ensure that there are no errors in the 
implementation that were not listed in the requirements. This kind of ad hoc testing will 


find errors or vulnerabilities that may have been missed in the documentation. 


The system description describes in detail the boundaries of the system, as well as 
system functions, constraints, budget limitations, mission, system users, and the 


development timeline. System criticality/sensitivity is a measure of the importance and 
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nature of the information processed, stored, and transmitted by the IT system to the 
organization’s mission and day-to-day operations [9]. To assess this information in 
context, the system requirements for confidentiality, integrity, and availability must be 


analyzed. 


Risk Management is formally defined as a process concerned with the 
identification, measurement, control, and minimization of security risks in IT systems to 
a level commensurate with the value of the assets protected [1]. This analysis not only 
examines the threats and risks associated with a particular system, but will be the initial 


step in describing the necessary resources for the certification effort. 


The assessment of the vulnerabilities of, and threats to, the system will define the 
possible impact that the loss of information will have on the mission. This analysis is 
used to find the necessary measures to secure the system. During the initial risk analysis, 
the scope, boundary and methodology of the effort will be defined. This part of the 
process will begin the groundwork for the certification and accreditation effort. The 
process of assessing risk will continue throughout the certification effort, assessing each 
vulnerability and resulting safeguard implementation to ensure cost-effectiveness and 
reliability. Risk analysis should be applied throughout the system lifecycle at key 
milestones/decision points (e.g., during requirements definition, completion of 
architecture, system installation) to aid in the decisions concerning the appropriate level 


of residual risk. 


2. Validation: Phase 2 Tasks 


Certifier tasks done in support of the DAA: 
e Report certification results to the DAA. 


e Provide advice to DAA regarding system readiness for phase three, 
Validation. 


DAA Responsibilities: 
e Review system for compliance with the SSAA. 
e Support the following certification activities. 


o Oversee the evaluation of the system. 
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o Review SSAA to ensure it accurately describes the system, threat, 
environment, security requirements, system vulnerabilities, and all 
conditions under which the system will be operated. 


The SSAA is reviewed at each phase to ensure that it complies with all stated 
requirements. If any changes are made during system development or modification, or if 
these changes affect the security posture of the system, this information must be updated 
in the SSAA. The system evaluation will look at both the functional and security 
requirements, which were determined in phase one, and make certain that they are being 
used to shape the design and implementation of the system. The Certifier is responsible 
for conducting an Initial Certification Analysis to determine whether the system is ready 
to be tested and evaluated during phase three, Validation. This analysis will ensure that 
the system functions as stated in the SSAA, that it correctly implements the security 
requirements, and that all components of the system that are critical to security are 


functioning properly. 


The test plans and procedures, as well as the security specification, will be written 
in anticipation of phase three, and added to the SSAA. Depending upon the level of 
certification determined during phase one, the activities involved in the analysis of the 
system architecture, hardware, software, and firmware design will range from minimal 


activities to a comprehensive analysis. 


Security vulnerabilities and residual risk are evaluated during this phase. Evaluated 
vulnerabilities are ranked against threat, ease of exploitation, and potential rewards of the 


exploiter. Threats can be broken down into subgroups as follows: 


e Natural or Environmental Threats (controlled or uncontrolled) 
o Power Outages 
o Natural Disasters (Earthquake, etc) 
o Fire 
e Human Threats 
o Accidental 
= Untrained or Poorly trained users 


o Intentional 
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= Authorized 
e Uncleared users accessing secret information 
e Students accessing faculty information 


=" Unauthorized 


e Hackers, well-funded adversaries, etc. 


A vulnerability is defined by NSTISSI No. 4009 to be a weakness in an IS, 
system security procedures, internal controls, or implementation that could be exploited 
[10]. Each vulnerability demands specialized attention. During the vulnerability 
assessment, any inconsistencies that were found during the system evaluation are 
analyzed to determine how easily they may be exploited. A vulnerability alone does not 
present a threat to the system. Countermeasures such as access control, audits, personnel 
security, physical security, and network security can aid in the reduction of known 


threats. 


3. Verification: Phase 3 Tasks 


Certifier tasks done in support of the DAA: 
e Identify and assess system vulnerabilities. 
e Recommend risk mitigation measures. 
e Report certification results to the DAA. 


e Provide accreditation recommendation. 


DAA responsibilities: 
e Continuously review system for compliance with the SSAA. 
e Assess vulnerabilities and residual risk. 
e Decide if security safeguards and residual risk are acceptable. 
e Approve any corrective actions required. 


e Sign accreditation document, decide to accredit, issue IATO, or terminate 
system operations. 


As with all other phases, this phase begins with the DAA reviewing the SSAA to 
ensure that the system complies with the requirements set forth in the documentation. If 
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any changes to the system have been made, they must be approved by all parties involved 
in the certification effort. The tasks performed during the Validation phase are dependent 
upon the certification level, and done to ensure that the system is functionally ready for 


operation and will operate at an acceptable level of residual risk. 


A detailed vulnerability analysis is done during this phase by means of the 
Security Test and Evaluation (ST&E) procedure which, as defined by the NIACAP, is an 
examination and analysis of the safeguards required to protect an IS, as they have been 
applied in an operational environment, to determine the security posture of that system 
[5]. This test assesses the technical and nontechnical aspects of the security design. 
During the ST&E, the implementation of security features such as audit trails, intrusion 
detection systems, physical and technical aspects of access control, contingency planning, 
automated security tools, policies and procedures, virus programs, and _ security 
processing modes are tested to ensure they conform to the stated security requirements 
and design. If any security problems or vulnerabilities are found during the ST&E, 
every effort is made to fix the system. After the ST&E is performed, a detailed document 
is created which contains the results of the evaluation, and information as to the amount 
of residual risk. Residual risk is the amount of risk remaining after security measures 
have been applied [5]. It is the DAA who must decide what degree of residual risk is 
acceptable. It is important that the Certifier assembles the Test Plan and Procedures 
report and that he or she is an experienced Information Assurance professional. This will 
ensure that the system has been thoroughly tested and that all documented information 


has been properly analyzed. The residual risk assessment is key in this phase. 


The findings documented during this and the previous phases are consolidated 
into a report for the DAA. The Certifier must be prepared to explain the findings to the 
DAA, as well give the system accreditation recommendations. If the system complies 
with the requirements stated in the SSAA, the Certifier will issue a system certification. 
This certifies that the system in question correctly implements the stated security 
requirements. If the Certifier finds any deficiencies in the system, but due to mission 
needs or other reasons, deems the system can operate at an acceptable level of risk, he or 
she will recommend an Interim Approval to Operate (IATO) as long as the deficiencies 


found in the system are fixed within a certain time limit. This is captured in the SSAA. 
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There are instances in which a system does not meet the stated security requirements and 


the system cannot operate within an appropriate level of risk; this leads the Certifier to 


recommend that the system not be accredited. 


When the Certifier has documented the system information and has given his 


recommendation to the DAA, the DAA must review the SSAA and make the final 


accreditation decision. 


4. Post Accreditation: Phase 4 Tasks 


ISSO tasks done in support of the DAA: 


Periodically review the mission statement, operating environment, and 
security architecture to determine compliance with the approved SSAA. 
Maintain the integrity of the site environment and accredited security 
posture. 


Ensure that configuration management adheres to the security policy and 
security requirements. 


Initiate the C&A process when periodic reaccreditation is required or 
system change dictates. 


Certifier tasks done in support of the DAA: 


The Certifier is not involved with the process during this phase. 
Support DAA, system operators and ISSO. 


PM will report security related changes in system to DAA and user 
representative. 


DAA responsibilities: 


Continuously review the system for compliance with the SSAA. 
Review proposed security changes. 

Oversee compliance validation. 

Monitor integrity of system. 


Establish reaccredidation requirements and ensure all assigned systems 
comply with stated requirements. 


Decide to reaccredit, accredit, or IATO, system if SSAA is no longer 
valid, or terminate system operations. 
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To ensure that the system sustains the acceptable level of residual risk determined 
in all earlier phases, the DITSCAP recommends that activities such as SSAA 
maintenance, system operations, security operations, configuration management, and 
compliance validation be performed [1]. This phase begins after a system has been 
accredited. The Certifier no longer is the main point of contact for the system; that 
responsibility will shift to the Program Manager. The ISSO and onsite operations staff 
will ensure that the system maintains the acceptable level of residual risk determined in 


the certification phases. 


Review of any system changes is imperative to ensure that they do not affect the 
threat level of the system. Changes made must be controlled in such a way as to reflect 
the stated configuration management requirements. The accreditation of the system is 
tightly dependent upon the configuration of the system and the way in which it interacts 
with the hardware and software. Any changes made must be reviewed to ensure they do 
not invalidate the accreditation decision. The ISSO is responsible for attending 
configuration management review meetings and relating this information to the Program 


Manager who in turn is responsible for relating this information to the DAA. 


Effective risk-management review is imperative in this phase. Regular 
evaluations of the threats to the system are an important step in ensuring the system 
remains secure. The DAA must encourage the ISSO to perform regular evaluations of 
the system to minimize risk and analyze the performance of the system. The assessment 
of the system security design and architecture, as well as other requirements defined in 
the SSAA, should be performed and scrutinized against the system environment and 
known threats to make certain that the system continues to operate within an acceptable 
level of residual risk. The system must be evaluated and analyzed periodically to ensure 
it complies will all requirements. If any changes in the system have been made, the 
security posture of the system will be in question. Factors that may lead to a change in 
threats are changes in the system mission, architecture, security policy, system risk, 
operational mode, audit results and sensitivity levels of the system. The risk 
management review process is performed to mitigate any possible problems due to 


changes in the system architecture, policy, or design. 
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Compliance verification is performed to ensure that the system is functionally 
operating within the specifications set forth in the SSAA. This will make sure that the 
system is complying with the security requirements by repeating some tasks that were 
taken in phase two and three of the process. This involves the validation of tasks and 
decisions that were made earlier in the process, to ensure that they are being implemented 
correctly in the system. The DITSCAP recommends that, at minimum the following 
tasks be performed: Site and Physical security Validation, Security Procedures 
Validation, System Changes and Related Impact Validation, System Architecture and 
System Interfaces Validation, Management Procedures Validation, and Risk Decisions 
Validation [1]. 


If any changes are made to the system that require re-accreditation, the DITSCAP 


must be followed from phase one. 
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IV. CRITICAL COMPONENTS OF THE CERTIFICATION AND 
ACCREDITATION PROCESS 


The information obtained through the research and interviews showed that there 
are many factors of the process that are perceived as vital. All interviewees were asked 
the same set of questions: when the responses were compiled and analyzed, they revealed 
a set of very similar answers. These questions framed the discussion during each 
meeting, and opened the door to many more facets of the process, which lent a deeper 
understanding and analysis. The subjectivity of the process was given particular attention 
because this factor is rarely noted in any documentation. This is understandable mainly 
because subjectivity is not an area with which one likes to associate risk analysis. People 
like to be assured that the system they are running will correctly implement all 


requirements, and prefer to think of the implementation process as objective. 


The nine main characteristics of the DITSCAP are that it is tailorable, scalable, 
predictable, understandable, relevant, effective, evolvable, repeatable, and responsive. 
These nine characteristics “provide the flexibility needed to support the diverse DoD 
mission requirements. A process with these characteristics is essential to integrating 
information security into the developmental and operational processes of the next 
generation of DoD systems. This process will permit IS to be evaluated based on mission 
versus risk in a computing environment where the systems are interdependent and, 
frequently, interactive”. That the process is predictable ensures that “the process is 
uniformly applicable to any system. It minimizes personal opinion and subjectivity” [1]. 
This is the only acknowledgement in the DITSCAP Manual that subjectivity may have a 
place in the certification and accreditation process. Although the process contains both 
objective and subjective aspects, the DITSCAP aims to minimize the subjectivity by 
defining a set of activities and tasks to be performed during each phase of the process. 
These tasks and activities are followed during each successive phase to ensure the 
implementation meets the design requirements. At the end of each phase the current 
system design is verified to ensure it meets all stated requirements. The verification that 


the system is correctly implementing the requirements at each phase adds a layer of 
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objectivity to the process, which minimizes any subjectivity that may arise during later 


phases. 


The following analysis of the critical aspects of the process will concentrate on 
both the subjective and objective pieces of the process, explicitly noting when 
subjectivity may come into play. There are many key factors of importance to the DAA, 
which will change depending on mission criticality and the type of system to be 
accredited. Each phase will be covered in detail, and the vital aspects of the process as it 


pertains to the DAA will be explained in detail. 


Define system Threat Vulnerability and 
requirements assessment risk assessments 


Tailor DITSCAP, Approve Phase 2 
Determine level of SSAA? 
effort 

No 


Figure 1. Phase 1 Key DAA Activities 





Phase one of the process contains key activities that were explained in detail in 
previous chapters. System requirements must be defined and understood, a threat 
assessment for the system must be performed, as well as vulnerability and risk 
assessments. The tailoring of the DITSCAP and determination of the level of effort for 
the system certification will be performed, and all activities will lead to the approval of 
the SSAA. 


During the requirements definition phase the DAA should evaluate the cost versus 
risk tradeoff, as well as make any necessary changes to the security requirements, 
implementation or procedural controls. The data obtained from the interviews suggested 
that the DAA does not always have the requisite understanding of the many tradeoffs 


concerned with resources, time, cost, and risk. The DAA must understand the risks 
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associated with a system operating in the present environment, and have a firm grasp of 
how the stated requirements match the certification levels and how the system security 
controls are validated. The DAA should have a full understanding of the system 


description and how this maps into the security requirements definition. 


OMB Circular No. A130 defines "adequate security" as security commensurate 
with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized 
access to or modification of information. This includes assuring that systems and 
applications used by the agency operate effectively and provide appropriate 
confidentiality, integrity, and availability, through the use of cost-effective management, 
personnel, operational, and technical controls [4]. Determining the appropriate amount of 
security will be done by evaluating the results of the risk assessments and system 


evaluations. 


During phase one, a decision as to the certification level will be made and it is 
important to understand each factor of that decision. In determining the certification 
level, many factors are considered and given weights, these weights are added together to 
give the appropriate certification level. In some circumstances, the characteristics of a 
particular category might dictate a higher classification level than that indicated by the 
total weights. Among the four certification levels, the weights that identify each level 
overlap each other. This gives the Certifier some room to add his or her own subjective 
opinion. This underscores the need for the Certifier to be adequately prepared and 
experienced in the process to know how to make the appropriate decision. The following 


table illustrates the overlap of the weights as it pertains to the certification levels: 


Level | If the total of the weighing factors are <16. 


Level 2 If the total of the weighing factors are 12-32. 


Level 4 If the total of the weighing factors are 38-50. 





Level 3 If the total of the weighing factors are 24-44. 


Table 2. Certification Levels and Weights [From 1] 
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The determination of the certification level will dictate the amount of analysis 
done for the system. Choosing the appropriate certification level is crucial in ensuring 
the proper implementation, security, and requirements for the system. This subjective 
decision will drive the entire certification and accreditation process. A Level 1 system, as 
defined in the DITSCAP [1], requires completion of the minimum security checklist. 
Some professionals interviewed stated that completing the entire checklist for a level 1 
system was excessive, while others indicated they may at times do additional analysis. 
Successive levels require more rigorous testing and analysis of the system, the decision as 


to the amount of testing done will be made by the Certifier. 


After the certification level has been determined, the DITSCAP will be tailored to 
reflect any specific needs of the system and security requirements. A plan will be created 
which defines all activities necessary to continue the certification and accreditation 
process. All of the information compiled thus far will be documented in the draft SSAA. 
The SSAA must be reviewed by the DAA, as well as the Certifier, t ensure that all 
controls meet the design of the system. After the SSAA has been reviewed and is 
approved, the process will proceed to phase two. At this point, all information in the 
SSAA is finalized and reflects the current state of the system. Once the subjective 
components at any given phase of the process are bound into the SSAA, they become 


objective for all successive phases. 


Phase 2 


Review system for Oversee 
compliance with system 
SSAA evaluation 


Review SSAA to ensure it 
adequately describes: Approve Phase 3 
System, Threat, Environment, SSAA? 


Requirements, Vulnerabilities 





Figure 2. Phase 2 Key DAA Activities 
32 


During phase two of the process, the DAA is responsible for first reviewing the 
system to ensure that it complies correctly with the current SSAA. It is important for the 
DAA to not only review the SSAA in detail, but to also oversee the evaluation of the 
system. As stated in earlier chapters, this system evaluation will look at both the 
functional and security requirements, which were determined in phase one, and make 


certain that they are being used to shape the design and implementation of the system. 


The DITSCAP manual lists certification analysis tasks that must be performed 
during this phase of the process. These tasks list analyses to be completed, and each task 
requires different activities that are dependent upon the certification level that was 
decided during phase one. The higher the level of certification, the more rigorous the 
analysis of the system will be. For example, the integrity analysis of integrated products 
evaluates the integration of commercial and governmental off-the-shelf or Non- 
Developmental Item (NDI) software, hardware and firmware to ensure that their 
integration into the system design complies with the system security architecture and the 
integrity of each product is maintained [1]. This integrity analysis will consist of 
different activities, depending upon the certification level. For a level 1 system, the 
minimum security checklist must be completed. For successively higher levels, more 
meticulous tests and analyses will be performed, such as ensuring that the security 
functionality of each product has been documented. For a level 3 system, in addition to 
those tasks that must be performed for previous levels, the preservation of product 
integrity analysis must include configuration control of hardware and firmware 
components, as well as other very stringent requirements. NCSC-TG-001 states that 
“Computer systems that process and store sensitive or classified information depend on 
the hardware and software to protect that information. It follows that the hardware and 
software themselves must be protected against unauthorized changes that could cause 
protection mechanisms to malfunction or be bypassed completely. For this reason, 
changes to trusted computer systems, during their entire lifecycle, must be carefully 
considered and controlled to ensure that the integrity of the protection mechanism is 
maintained. Only in this way can confidence be provided that the hardware and software 


interpretation of the security policy is maintained accurately and without distortion” [6]. 
a3 


It is important for the DAA to understand that the assurance provided by configuration 
management is beneficial for all systems, not only trusted systems. Configuration 
Management must be performed adequately and is dependent upon the level of 
certification. This will ensure that implementation of the system is running as described 


in the requirements definition, and correctly implementing the security policy. 


The DAA must be aware of potential threats and vulnerabilities to the system, as 
well as understand the different facets of vulnerabilities, such as vulnerabilities caused by 
hardware, software, data, or humans. The determination of the ease of exploitation must 
also be understood, as must the residual risk, other related threats, and the probability that 


the exploitation will occur. 


Training of end users is an incredibly important aspect of the process. Users who 
are properly trained and understand appropriate security related procedures, as well as the 
consequences of not following the stated policies, are easier to trust to make the right 
decisions. The insider threat is the most prevalent of all attacks, and should be noted by 
the DAA. This threat must be countered with tools covered in earlier chapters, such as 


audit, I&A, and policies. 


Comprehensive documentation of the system architecture, requirements, policies, 
and procedures is necessary in ensuring a positive accreditation decision. Documentation 
was stressed repeatedly by each person interviewed as one of the most vital aspects of the 
process. There are many times when poor documentation would lead to a system not 
getting accredited. Poor documentation could present a problem because this may mean 
that the team working on the system did not understand the system. Lack of system 
understanding can lead to poor requirements definition which in turn would lead to the 
testing and evaluation of a system with poorly defined requirements. If the 
documentation is lacking purely because the team did not have enough time, perhaps an 
IATO can be issued with the strict understanding that the documentation will be done 
within a certain time limit. If there are no training manuals or policies in place, or if the 
manuals being used are poorly written and uninformative, this would mean that there are 
many untrained users on the system, which presents another threat, and ultimately would 


lead to no accreditation of the system. If the system to be accredited is highly trusted, it 
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will be imperative to have high level, detailed design documents. The DAA must 
understand the importance of proper documentation for each facet of the system. 
Detailed documentation and good communication among the team will lead to a better 
understanding of the requirements and level of effort necessary to complete the process, 
as well as a relationship where all parties involved can work together to obtain a common 


goal. 


Each task performed in phase two of the process prepares the system for the 
rigorous validation work to be done during phase three. Again, any changes made to the 
security posture of the system are documented and updated in the SSAA. The SSAA 
review is a continual process, which happens throughout each phase and reflects each 


modification or change to the system. 


Phase 3 


Assess 
vulnerabilities 
and residual risk 


Review system for 
compliance with 
SSAA 


Determine whether 


Security safeguards and Approve 
residual risk is acceptable. SSAA? 





Figure 3. Phase 3 Key DAA Activities 


During phase three, the DAA must determine the acceptable level of residual risk 
for the system. The Naval Risk Assessment Guidebook states “To be effective, risk 
assessment activities are performed throughout each stage of a system’s life cycle. The 
output from risk assessments early in a system’s life cycle is used to identify appropriate 
controls for reducing or eliminating risks. Results of risk assessments performed later in 


the system’s life cycle are used by the Designated Approving Authority (DAA) to 
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determine whether a system is adequately protected from risk to allow it to operate 


conditionally or unconditionally within its specified environment. Risk assessment is 


therefore a key activity within the DITSCAP” [11]. 


The risk analysis of a system is a key factor n determining the proper security 
controls, and helps to add an objective layer to the process. Determining the necessary 
requirements and evaluating the system in a methodical manner will ensure that the 
implementation meets the requirements. The risk analysis of a system will review each 
aspect of the system, and determine all possible risks. When risks are found, 
countermeasures are developed to reduce or eliminate the risk. These countermeasures 
will aid in minimizing the risk found during the system analysis. Minimizing risk works 
to reduce the risk of the system to an acceptable level. Defining the “acceptable level” of 
risk is again subjective, because each system will have different risk thresholds. The 
objectivity of this analysis will show how the system security requirements are being met. 
A risk management matrix can be developed to map the shortfalls of the system, as well 
as the correctly implemented features. This matrix is used to concisely show the findings 
of the risk analysis and help aid in the decision as to the appropriate level of residual risk. 
Examining the findings of the analysis will show what requirements are being met and 
how, as well as any necessary fixes or changes the system may need. Deciding whether 
the system adequately meets the requirements will be a decision made by the Certifier 
and the DAA. This subjective decision will be supplemented with the objective findings 
of the analysis and evaluation of the system, mission need and criticality, as well as their 


own experiences with the certification and accreditation process. 


It cannot be stressed enough how important the relationship between the DAA 
and Certifier is. This trust relationship will develop as the process progresses, and the 
DAA must be assured that the information related to him or her by the Certifier is 
sufficient and correct. The DAA must examine the summary statement of the risk 
assessment and understand all risks associated to the confidentiality, integrity, and/or 
availability of the system. The DAA will not be able to examine the SSAA in full 
because of its complexity and length. Nevertheless, it is recommended that he or she, at 


minimum, evaluate the mission need statement, system architecture and overview, and 
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security policy, as well as the test results from the risk assessment performed in phase 


two of the process and the residual risk statement. 


The DAA should ensure that there are procedures in place for securely operating 
the system, and that these procedures are adequate. During the Security Test and 
Evaluation (ST&E) task performed during this phase the security design will be evaluated 
to en ensure the software and hardware features that affect confidentiality, integrity, and 
availability of the system have been properly implemented as described in the SSAA. 
The tasks will be performed according to the certification level of the system that was 
defined during phase one. For a Level 1 system, the Minimum Security Activity 
Checklist will be performed. For higher levels, more rigorous analysis will be done in 
addition to completing the checklist. These task include higher level evaluations of the 
security functionality of the system. Level 3 and 4 systems must test the security 
functions of the system to ensure they verify the integration and operation of all security 
features. In higher certification levels such as this, it is mandatory to have a Trusted 
Facilities Manual (TFM) and Security Feature User’s Guide (SFUG) available, as well as 
validated for correctness. The TFM describes the configuration and installation and 
operation and maintenance of the system, as well as how to effectively use system 
privileges and protection mechanisms. This manual is written for the system 
administrator to ensure that he or she has detailed and accurate information pertaining to 
the system. The SFUG describes the correct system operating procedures according to 
the system security policy, as well as defines responsibilities to ensure the users of the 
system are using the system effectively and appropriately. This user guide is written for 
the general users of the system and should be written in a nomtechnical manner. It 
should describe the security mechanisms that the system provides to the user, such as 
audit and password selection, to ensure that the system is operated as expected [12]. The 
SFUG and TFM are comprehensive documents that contain procedural information for 
both the users of the system and the system administrators. The DAA will have to 
determine the appropriate amount of documented security that defines whether or not 
there are adequate procedures in place. Monitoring any system changes and ensuring 
there is adequate configuration management being performed is a necessary step in 
maintaining a secure system. 
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The ISSO should be involved in the configuration management process. To 
verify that the security aspects do not impact the security posture of the system, he or she 
should be part of the sites process when any changes are to be installed. The 
Configuration Control Board consists of a body of qualified individuals who are 
responsible for having meetings pertaining to the configuration management process, as 
well as giving the final approval for any proposed changes to the system [7]. The ISSO 


should be an active member of this board, and part of the change process. 


The major agreement among all interviewees was that is critically important for 
the DAA to understand the fundamental attributes of the system to be accredited and the 
requirements that must be met. Ensuring that the requirements are defined appropriately 
and validating that the implementation meets the stated requirements are a crucial steps in 
the accreditation decision. To accomplish them it is recommended that the DAA fully 
understand the ST&E reports, defined during phase three. Understanding the deficiencies 
of the system in question, as well as the levels, will aid in giving the DAA an overview of 
how the system does or does not meet all requirements. The Certifier should ensure that 
the risk assessment is valid and must translate the findings, as well as the system 


vulnerabilities and threats, to the DAA. 


After the Certifier has documented the complete system information, he or she 
will give the DAA an accreditation recommendation. By now the requirements have 
been defined and the system has been tested and evaluated, and it is in the hands of the 
DAA to make the accreditation decision. The DAA must then review the SSAA and 


make the final accreditation decision. 


The mission criticality of a system now becomes a key factor in the accreditation 
decision. If the system is critical to the mission, it will have to be accredited. This is one 
way in which the subjectivity of the process comes into light. All facets of the process 
will be performed, requirements will be checked to ensure they are implemented 
properly, tests and evaluations will be done, but ultimately the final decision to accredit 
may be subjective. Mission justification is defined by the DITSCAP manual as “the 
description of the operational capabilities required to perform an assigned mission. This 


includes a description of a system’s capabilities, functions, interfaces, information 
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processed, operational organizations supported, and the intended operational 
environment” [1]. The mission, and all information pertaining to it will influence the 
system environment and security requirements. If the system does not meet all of the 
requirements stated in the SSAA, but mission criticality is such that the system must 
become operational, an IATO is issued. The DAA is involved in the details pertaining to 
the IATO, such as solutions, schedule, security actions, milestones, and duration. The 
DAA must ensure that the system not only satisfies mission needs, but is operating at an 
acceptable level of residual risk. The C&A process, although standardized, is flexible 
enough to allow the system to be evaluated based on mission versus risk tradeoffs. The 
need for the operational mission, mission risk detailed in any certification findings, and 
lifecycle costs must be weighed together to determine the appropriate accreditation 


decision. 


Phase 4 


Review system for Review any 


compliance with security changes 
SSAA 


Oversee compliance 


verification, monitor Is SSAA 
integrity of system still valid? 





Figure 4. Phase 4 Key DAA Activities 


During phase four of the process, the DAA must ensure that the level of security 
previously defined in the SSAA is maintained. The system is now accredited and 
operational, and must be maintained and monitored to make certain the implementation 
continues to meet all stated requirements and that the system operates at the appropriate 
level of residual risk that was previously defined. The system will be continually 
observed throughout its life to ensure that its integrity is maintained. The Program 


Manager is responsible for briefing the DAA with any proposed security changes. The 
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DAA must ensure that the system performance is regularly evaluated, and if any changes 


are made to the system that require reaccreditation, the process will return to phase one. 
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V. CONCLUSIONS 


As the official who assumes responsibility for the residual risk associated with 
operating the system, the DAA relies heavily on the Certifier to provide an accurate 
assessment of that risk. The Certifier will perform most of the assessments, analysis, and 
testing of the system, and will then report the findings to the DAA. Only after being 
thoroughly briefed of all findings, and developing an understanding of the various details 
of the system, can the DAA make the accreditation decision. The DAA’s role in the 
certification and accreditation process is continual, beginning with the determination of 
the level at which the system should be protected, agreement on the system security 
requirements, and support of the certification activities. This study of the role that the 
DAA plays in the certification and accreditation process answers one of the main 
research questions. A second question concerned identification of factors in the C&A 
process that are of critical importance from the point of view of the DAA. These vital 
aspects of the process, as it pertains to the DAA, are those pieces that are necessary for a 


knowledgeable accreditation decision. 


The final question concerned items considered nonessential from the point of 
view of the DAA. The pieces of the process that have been downplayed should in no 
way be considered to be less than vital to the process as a whole. The rationale for 
reduced emphasis on these aspects of the process is that the DAA should not be expected 
to have the time or the resources to know every aspect of the process, but should 
understand the core aspects of the process and the system in question. The Certifier will 
relate all technical details of the system to the DAA to ensure that he or she has enough 


information to make an informed accreditation decision. 


The analysis of the certification and accreditation process as it pertains to the 
DAA stresses the vital aspects of the process that should be looked at more closely. The 
mission drives the process, and influences the ultimate accreditation decision. Mission 
criticality is key in defining the level of effort and requirements necessary for the 


certification and accreditation of the system. The mission justification and mission 
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criticality will drive the requirements definition as well as the degree of testing and 


evaluation to which the system will be subjected. 


Subjectivity in the process was given particular attention. This was stressed 
because the presence of subjectivity in the process is largely ignored in the 
documentation. All parties interviewed agreed that there are some aspects of the process 
that can be seen as subjective. Ensuring that the necessary and sufficient definition of 
requirements is done early, and that proper risk analysis and assessment techniques are 
used, will help to reduce some subjectivity of the process. Although the amount of 
subjectivity can be decreased, there will always remain decisions that are to some degree 
subjective. This needs to be understood by both the DAA and Certifier, and underscores 
the importance of a good working relationship between them. The DITSCAP defines 
rigorous phases, which ensure that the system design meets the implementation and 


minimizes the subjectivity of the process even when the mission may dictate otherwise. 


Thorough and valid definition of security requirements is a vital aspect of the 
process. This was agreed upon by all people interviewed, and should be well understood 
by the DAA. The requirements definition is performed during phase one of the process, 
and will drive all tasks and activities performed in subsequent phases. Ensuring that the 
system is correctly implementing the requirements and that the system design meets the 
system specifications will be determined by those requirements defined during the first 
phase of the process. Not only will adequate definition of requirements lead to a properly 


secured system, it will ensure the process is performed correctly. 


The objective of the DITSCAP is to establish a standard process, set of activities, 
general tasks, and a management structure to certify and accredit information systems 
that will maintain the information assurance and security posture of the Defense 
Information Infrastructure (DII). This process supports an _ infrastructure-centric 
approach, with a focus on the mission, environment, and architecture [1]. This process is 
applied to all DoD systems and, when properly conducted, ensures an appropriate level of 
confidentiality, integrity and availability to make certain that the Defense operations are 


not disrupted and the DoD missions are accomplished. 
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The interviews and documentation of the certification and accreditation process 
led to a deeper understanding of the tasks and activities that surround the process as it 
pertains to the DAA. These tasks and activities are the cornerstone of the process, and 


should be understood and performed in detail to ensure the system to be accredited is 


correctly implementing all stated requirements. 
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C&A 
DAA 
DITSCAP 


LIST OF ACRONYMS 


certification and accreditation 
Designated Approval Authority 


DoD Information Technology Security Certification 
Accreditation Process 


Information Assurance 

Interim Approval To Operate 

Information System 

Information Systems Security Officer 
Information Technology 

Office of Management and Budget 
Requirements Traceability Matrix 
Security Features Users Guide 

Security Requirements Traceability Matrix 
System Security Authorization Agreement 
Security Tests and Evaluation 


Trusted Facilities Manual 
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